Mark's Digital Media and Tech Law Column

Mark Leiser: I am a PhD Candidate in Cyber Law at the University of Strathclyde in Glasgow. I have written submissions for the Leveson Inquiry into the culture and ethics of the media and for the...

... Scottish Parliament on the use of social media during trials. My PhD is supervised by Professor Andrew Murray at the London School of Economics and focuses on the effectiveness of cyber-regulation. My research and interests revolve around main areas of Internet law and policy including internet governance & regulation, democracy, social media, privacy, and intellectual property. My PhD research focuses on developing a system of modelling to measure the effectiveness and legitimacy of Internet Regulation. I write in a personal capacity.

Read more
5 November 2013 - 10:42am | posted by | 4 comments

Tesco and the Data Protection Act: are facial recognition advertising devices a breach of the law?

Controversial: Tesco plans to introduce facial recognition technologyControversial: Tesco plans to introduce facial recognition technology

The news from Tesco that the supermarket giant plans to install facial recognition devices that can serve up more relevant advertising to customers on miniature screens while they stand at the tills has sparked ferocious debate.

The technology will make educated guesses on customers’ age and sex before generating advertisements based on whichever demographic Tesco deems that they fall into. Already, questions have been raised about the possible legal issues under the Data Protection Act of both the device and how Tesco processes the information gathered from the cameras.

A spokeswoman for Tesco was quick to insist that there is no risk to customers’ personal information: "No data or images are collected or stored and the system does not use eyeball scanners or facial-recognition technology," she said.

The Data Protection Act governs how organisations process and store personal data. What can be determined so far is what Tesco has told us: the system doesn’t store information and does not process data for the purposes of the Data Protection Act.

If no data is stored in Tesco’s computer system, then it probably doesn’t count as personal data under Section 1 of the Data Protection Act 1998. In a strict interpretation of the 1998 Act, this would be the case.

However, we have moved on to a more flexible understanding of the meaning of personal data. For the Article 29 Working Group, personal data is interpreted to mean “am I likely to be identifiable from this data?”

For example, a postcode may have a hundred people living within it, and a postcode by itself would not be personal data because it doesn’t relate to any one of those hundred people. However, what if the postcode only had one person living within it? Then the postcode would be considered an identifiable detail and therefore personal data.

The privacy directive makes this clear: if the person is identifiable, then it is personal data even if the data controller is unable to identify the individual. For the Article 29 Working Group, it’s about the principle, so that it can change with future technologies that capture personal information.

Why is this important? Because a data controller may collect information on subjects that does not look personal in any way, shape, or form. However, if that information was to fall into the hands of someone who was looking to use the data for nefarious purposes, then the data could suddenly make a person identifiable.

If it isn’t personal data then we don’t have to worry about any of the collection and processes, but this isn’t clear from the little we can gleam from the technology in present circumstances.

Let’s make some assumptions about the way the technology works; a customer stands at the till and a camera scans the face. Based on an algorithm, the camera compares the face to other physical characteristics that readily identify a man or a woman; for example, a beard or a moustache or long hair.

The information is then used to determine what advertisements to place on the screen. One school of thought is that the data would be personal. This is because the information grabbed by the camera will be the same that one can use to identify oneself in the image that Tesco has grabbed. The data processed refers to the identifiable person.

But what if the information is not considered to be personal data under the Data Protection Act? Well, Tesco can store it all. In fact, there might not be any engagement with the Article 8 Right to Privacy in the European Convention of Human Rights. In Naomi Campbell v MGN, Lady Hale made clear that a person who pops out to buy a pint of milk has no reasonable expectation of privacy.

This is good law, and Tesco may have a valid case when arguing that its new ad service doesn’t violate the Data Protection Act.


5 Nov 2013 - 14:19
sydnadim's picture

This is a red herring. The technology they are using was developed by Quividi (Amscreen invested in April this year).

All it does is look at the structure of someone's face (position of eyes, nose, ears etc) analyses it on the fly and and gives a pretty good guess at the age and sex of that individual.

There is no personal data stored.

It's a great idea and something that we are also using to help give more relevant advertising to the public on a new product we are developing. A win-win in many ways.

Personal privacy is a big issue. However let's not set the hare running in the wrong direction. There are much more relevant challenges to focus on such as Facebook and government use of our data.

5 Nov 2013 - 15:37
jdoel's picture

the chap above is spot on - it's called anonymous video analytics to us laymen

See how it works in this video straight out of the tomorrow's world archive

Major win for Tesco is that they can measure how engaged their shoppers are with the content by demographic - which gets even more interesting when you can look at this alongside their e-pos data.

Have lots of AVA screens around the store and you could create heat maps of customer flow with demographic info overlaid (gender, age, couples / families shopping together etc.)

Link the club card with the screens using a customer pull mechanic e.g. coupons on demand and you have the potential to log which ad content is most effective at an individual customer level (which can then be plugged into everything tesco do with that customer).

Because tesco hold so much customer data on their club cards the biggest potential winner in the short term is the software company, who could improve the accuracy of their demographic profiling capability (if they could do this in a legal way and if tesco would let them which they wont). We once used the same technology in Comet (RIP) and it mistook my young, Asian, male colleague with an elderly, white, lady - c'mon!! who hasn't now?!

tesco famously got burnt with instore signage so the only surprise to me is how long it's taken for them to get involved again.

All good fun and still nowhere as near as invasive as online stalking techniques

5 Nov 2013 - 16:17
markbatchelor's picture

Identifying customer requirements requires more than just assessing physical characteristics and guestimating age. Imagine errors over age, sex, and matching inappropriate products to individuals - it could be the source of great embarrassment, hilarity, or complaints if not managed smartly. I see a new game on the horizon - individuals waiting for inappropriate recommendations then videoing the upset and annoyance in the checkout queues, and posting them on Vine, Instagram, and YouTube. Let's see.

6 Nov 2013 - 19:09
janeo40069's picture personal data stored. Now please go and READ the DPA. You may notivce that is is not - and with good reason - called the Data Storage Act.



Please sign in or register to comment on this article.

Have your say

Opinion, blogs and columnists - call them what you like - this is the section where people have something to say. You might agree or you might not - whatever opinion you have make your views known in comments. Views of writers are not necessarily those of The Drum. If you would like to contribute a comment piece, email your idea to